
5 Commits

Author SHA256 Message Date
aa94c53d65 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@aef00ec at 2025-10-26T18:19:48Z on 6f8f9a786bfa

Generated at : 2025-10-26T18:19:48Z
Runner Host  : 6f8f9a786bfa
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : aef00ec HEAD -> master
2025-10-26 18:19:48 +00:00
aef00ec63d V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m59s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-26 18:17:28 +00:00
71d189e2c7 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@403a70a at 2025-10-26T17:24:00Z on 8f92a12ee776

Generated at : 2025-10-26T17:24:00Z
Runner Host  : 8f92a12ee776
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 403a70a HEAD -> master
2025-10-26 17:24:00 +00:00
403a70a886 Merge remote-tracking branch 'origin/master'
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m49s
2025-10-26 17:22:09 +00:00
3d39f44c75 V8.00.000.2025.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-26 17:21:58 +00:00
10 changed files with 78 additions and 42 deletions


@@ -1 +0,0 @@
7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda


@@ -1 +0,0 @@
PleASE_CHan3e_M!


@@ -454,7 +454,7 @@ grub:
other-os: true # This one makes grub-installer install to the UEFI partition '/boot' record if it also finds other-os: true # This one makes grub-installer install to the UEFI partition '/boot' record if it also finds
# some other OS, which is less safe as it might not be able to boot that other OS. # some other OS, which is less safe as it might not be able to boot that other OS.
password: true # If you want to set a password for GRUB. The password MUST be set at: password: true # If you want to set a password for GRUB. The password MUST be set at:
# '/.preseed/password_grub.txt'. # '/.preseed/SECRETS.yaml'.
prober: false # OS-prober did not detect any other operating systems on your computer at this time, but you prober: false # OS-prober did not detect any other operating systems on your computer at this time, but you
# may still wish to enable it in case you install more in the future. # may still wish to enable it in case you install more in the future.
skip: false # Skip installing grub. skip: false # Skip installing grub.
@@ -839,9 +839,6 @@ ssh:
# User settings # User settings
################################################################################################################################ ################################################################################################################################
user: user:
mfa:
info: "totp:v1"
salt: "CISS:CDI:OTP" # + (Server_FQDN/Username)
############################################################################################################################## ##############################################################################################################################
# Root: The superuser account (normally disabled for direct login). # Root: The superuser account (normally disabled for direct login).
# Key 'user.root.password' MUST contain a valid yescrypt hashed password string. # Key 'user.root.password' MUST contain a valid yescrypt hashed password string.


@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "2025-10-26T17:21:50Z". This file was automatically generated by the DEPLOY BOT on: "2025-10-26T18:19:45Z".
⚠️ The last linter check was NOT successful. ⚠️ ⚠️ The last linter check was NOT successful. ⚠️


@@ -50,6 +50,7 @@ ciss_secrets_unset() {
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare var_k="" var_v="" declare var_k="" var_v=""
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_trace on guard_trace on
for var_k in "${!CISS_SECRETS_MAP[@]}"; do for var_k in "${!CISS_SECRETS_MAP[@]}"; do
@@ -67,6 +68,7 @@ ciss_secrets_unset() {
CISS_SECRETS_MAP=() CISS_SECRETS_MAP=()
guard_trace off guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------------
return 0 return 0
} }
@@ -154,6 +156,7 @@ yaml_secret() {
__umask=$(umask) __umask=$(umask)
umask 0077 umask 0077
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_trace on guard_trace on
secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_if}")" || secrets_encrypted="false" secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_if}")" || secrets_encrypted="false"
@@ -258,6 +261,7 @@ yaml_secret() {
umask "${__umask}" umask "${__umask}"
guard_trace off guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_dir; return 0 guard_dir; return 0
} }


@@ -25,6 +25,7 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
# ERR_GENERATE_SALT: on failure # ERR_GENERATE_SALT: on failure
####################################### #######################################
nuke_passphrase() { nuke_passphrase() {
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_trace on guard_trace on
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
@@ -62,6 +63,7 @@ nuke_passphrase() {
do_log "debug" "file_only" "0105() NUKE hash starts with: [${VAR_NUKE_HASH:0:32}...]" do_log "debug" "file_only" "0105() NUKE hash starts with: [${VAR_NUKE_HASH:0:32}...]"
guard_trace off guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_dir; return 0 guard_dir; return 0
} }


@@ -68,20 +68,24 @@ partition_encryption() {
declare -a ary_luks_opts=() declare -a ary_luks_opts=()
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_trace on guard_trace on
printf '%s' "${CISS_SECRET_LUKS_BOOT}" >| "${DIR_CNF}/password_luks_boot.txt" && chmod 0600 "${DIR_CNF}/password_luks_boot.txt" printf '%s' "${CISS_SECRET_LUKS_BOOT}" >| "${DIR_CNF}/password_luks_boot.txt" && chmod 0600 "${DIR_CNF}/password_luks_boot.txt"
printf '%s' "${CISS_SECRET_LUKS_COMMON}" >| "${DIR_CNF}/password_luks_common.txt" && chmod 0600 "${DIR_CNF}/password_luks_common.txt" printf '%s' "${CISS_SECRET_LUKS_COMMON}" >| "${DIR_CNF}/password_luks_common.txt" && chmod 0600 "${DIR_CNF}/password_luks_common.txt"
unset CISS_SECRET_LUKS_BOOT CISS_SECRET_LUKS_COMMON unset CISS_SECRET_LUKS_BOOT CISS_SECRET_LUKS_COMMON
guard_trace on guard_trace on
### SECRETS handling ---------------------------------------------------------------------------------------------------------
if [[ -n "${VAR_LUKS_URL}" ]]; then if [[ -n "${VAR_LUKS_URL}" ]]; then
VAR_LUKS_URL=${VAR_LUKS_URL%/} VAR_LUKS_URL=${VAR_LUKS_URL%/}
### SECRETS handling -------------------------------------------------------------------------------------------------------
guard_trace on guard_trace on
var_temp_plain_nc_auth="${CISS_SECRET_LUKS_BACKUP}" var_temp_plain_nc_auth="${CISS_SECRET_LUKS_BACKUP}"
unset CISS_SECRET_LUKS_BACKUP unset CISS_SECRET_LUKS_BACKUP
guard_trace on guard_trace on
### SECRETS handling -------------------------------------------------------------------------------------------------------
do_log "debug" "file_only" "3220() Var: [var_temp_plain_nc_auth] set." do_log "debug" "file_only" "3220() Var: [var_temp_plain_nc_auth] set."
@@ -272,6 +276,7 @@ partition_encryption() {
if [[ -n "${VAR_LUKS_URL}" ]]; then if [[ -n "${VAR_LUKS_URL}" ]]; then
### SECRETS handling ---------------------------------------------------------------------------------------------------
guard_trace on guard_trace on
if curl --silent --show-error --fail --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \ if curl --silent --show-error --fail --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \
@@ -288,6 +293,7 @@ partition_encryption() {
fi fi
guard_trace off guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------
fi fi
@@ -295,9 +301,11 @@ partition_encryption() {
done done
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_trace on guard_trace on
[[ -n "${VAR_LUKS_URL}" ]] && unset var_temp_plain_nc_auth [[ -n "${VAR_LUKS_URL}" ]] && unset var_temp_plain_nc_auth
guard_trace off guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------------
ciss_secrets_wiper "${DIR_CNF}/password_luks_boot.txt" ciss_secrets_wiper "${DIR_CNF}/password_luks_boot.txt"
ciss_secrets_wiper "${DIR_CNF}/password_luks_common.txt" ciss_secrets_wiper "${DIR_CNF}/password_luks_common.txt"
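Review bot: Both newly bracketed secret blocks at the top of partition_encryption close with `guard_trace on` instead of `guard_trace off` (after `unset CISS_SECRET_LUKS_BOOT CISS_SECRET_LUKS_COMMON` and after `unset CISS_SECRET_LUKS_BACKUP`), while every other bracket on this page pairs `on` with `off`. guard_trace is defined outside this page, so which state suppresses xtrace cannot be confirmed here, but this looks like a copy-paste slip and the closing line should probably read `guard_trace off`. Separately, the two LUKS password files are created by `printf ... >|` and only then restricted with `chmod 0600`, so they briefly carry the process umask; setting `umask 0077` before the write, as yaml_secret does, would close that window. The function body continues outside these hunks.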


@@ -15,26 +15,29 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
####################################### #######################################
# Append the GRUB superuser block to '/etc/grub.d/40_custom'. # Append the GRUB superuser block to '/etc/grub.d/40_custom'.
# Globals: # Globals:
# DIR_CNF # CISS_SECRET_GRUB
# TARGET # TARGET
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
# 0: on success # 0: on success
# ERR_READ_GRUB_FILE # ERR_READ_GRUB_FILE: on failure
####################################### #######################################
update_grub_password() { update_grub_password() {
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare var_username="superadmin" var_password="" var_password_file="${DIR_CNF}/password_grub.txt" \ declare var_username="superadmin" var_password="" \
var_of="${TARGET}/etc/grub.d/40_custom" var_grub_entry="" var_of="${TARGET}/etc/grub.d/40_custom" var_grub_entry=""
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_trace on guard_trace on
var_password=$(<"${var_password_file}") || return "${ERR_READ_GRUB_FILE}" var_password="${CISS_SECRET_GRUB}" || return "${ERR_READ_GRUB_FILE}"
unset CISS_SECRET_GRUB
var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}") var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")
guard_trace off guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------------
### Append if not already present. ### Append if not already present.
if ! grep -q "set superusers=" "${var_of}"; then if ! grep -q "set superusers=" "${var_of}"; then
@@ -56,6 +59,8 @@ readonly -f update_grub_password
####################################### #######################################
# Generate PBKDF2 password hash for GRUB. # Generate PBKDF2 password hash for GRUB.
# Globals:
# None
# Arguments: # Arguments:
# 1: Username (default to superadmin). # 1: Username (default to superadmin).
# 2: User password. # 2: User password.
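Review bot: The replacement line `var_password="${CISS_SECRET_GRUB}" || return "${ERR_READ_GRUB_FILE}"` can never take the `|| return` branch, because a plain assignment always succeeds. Where the old `$(<file)` read failed on a missing file, a missing or empty secret now flows straight into generate_grub_password_pbkdf2. An explicit check before the assignment, e.g. `[[ -n "${CISS_SECRET_GRUB:-}" ]] || { guard_trace off; return "${ERR_READ_GRUB_FILE}"; }`, restores the documented error return without leaving the trace guard engaged. `var_password` also still holds the plaintext after `unset CISS_SECRET_GRUB`; consider `unset var_password` once `var_grub_entry` has been built. The function continues past the hunk.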


@@ -15,6 +15,9 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
####################################### #######################################
# Updating root account and generation user accounts. # Updating root account and generation user accounts.
# Globals: # Globals:
# CISS_SECRET_USER_ROOT_PASSWORD
# CISS_SECRET_USER_ROOT_SSHPUBKEY
# LOG_ERR
# RECOVERY # RECOVERY
# TARGET # TARGET
# VAR_RUN_RECOVERY # VAR_RUN_RECOVERY
@@ -27,8 +30,6 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
# user_root_authentication_access_ssh # user_root_authentication_access_ssh
# user_root_authentication_access_tty # user_root_authentication_access_tty
# user_root_authentication_password # user_root_authentication_password
# user_root_password
# user_root_sshpubkey
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
@@ -152,7 +153,9 @@ EOF
esac esac
### 4) Check the password policy for the 'root' account. ### 4) Check the password policy for the 'root' account.
chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${user_root_password}' | /usr/sbin/chpasswd -e" chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${CISS_SECRET_USER_ROOT_PASSWORD}' | /usr/sbin/chpasswd -e"
do_log "info" "file_only" "4520() User: 'root' password: inserted."
unset CISS_SECRET_USER_ROOT_PASSWORD
case "${user_root_authentication_password,,}" in case "${user_root_authentication_password,,}" in
@@ -174,9 +177,10 @@ EOF
esac esac
### 5) Update the 'root' SSH pubkey, if provided via 'preseed.yaml'. ### 5) Update the 'root' SSH pubkey, if provided via 'preseed.yaml'.
if [[ -n "${user_root_sshpubkey:-}" ]]; then if [[ -n "${CISS_SECRET_USER_ROOT_SSHPUBKEY:-}" ]]; then
printf "%s\n" "${user_root_sshpubkey}" >| "${var_target}/root/.ssh/authorized_keys" printf "%s\n" "${CISS_SECRET_USER_ROOT_SSHPUBKEY}" >| "${var_target}/root/.ssh/authorized_keys"
unset CISS_SECRET_USER_ROOT_SSHPUBKEY
do_log "info" "file_only" "4520() User: 'root' SSH public key: inserted." do_log "info" "file_only" "4520() User: 'root' SSH public key: inserted."
fi fi
@@ -231,8 +235,8 @@ EOF
tmp_uid="user_user${i}_uid" tmp_uid="user_user${i}_uid"
tmp_gid="user_user${i}_gid" tmp_gid="user_user${i}_gid"
tmp_shell="user_user${i}_shell" tmp_shell="user_user${i}_shell"
tmp_password="user_user${i}_password" tmp_password="CISS_SECRET_USER_USER${i}_PASSWORD"
tmp_sshpubkey="user_user${i}_sshpubkey" tmp_sshpubkey="CISS_SECRET_USER_USER${i}_SSHPUBKEY"
tmp_access_tty="user_user${i}_authentication_access_tty" tmp_access_tty="user_user${i}_authentication_access_tty"
tmp_auth_pwd="user_user${i}_authentication_password" tmp_auth_pwd="user_user${i}_authentication_password"
tmp_2fa_ssh="user_user${i}_authentication_2fa_ssh" tmp_2fa_ssh="user_user${i}_authentication_2fa_ssh"
@@ -450,6 +454,7 @@ EOF
find "${var_target}/home/${var_username}" -xdev -exec chown -h "${var_uid}:${var_gid}" {} + find "${var_target}/home/${var_username}" -xdev -exec chown -h "${var_uid}:${var_gid}" {} +
### 9) Final status logging. ### 9) Final status logging.
unset var_password var_sshpubkey
do_log "info" "file_only" "4520() Created user: [${var_username}] UID: [${var_uid}] GID: [${var_gid}]" do_log "info" "file_only" "4520() Created user: [${var_username}] UID: [${var_uid}] GID: [${var_gid}]"
done done
@@ -460,8 +465,6 @@ EOF
fi fi
unset VAR_TEMP_PLAIN_MFA_SEED
if ! grep -Fqx -- '-: ALL:ALL' "${var_target}/etc/security/access.conf"; then if ! grep -Fqx -- '-: ALL:ALL' "${var_target}/etc/security/access.conf"; then
printf '%s\n' '-: ALL:ALL' >> "${var_target}/etc/security/access.conf" printf '%s\n' '-: ALL:ALL' >> "${var_target}/etc/security/access.conf"
@@ -471,6 +474,8 @@ EOF
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/security/access.conf" printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/security/access.conf"
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/ssh/sshd_config" printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/ssh/sshd_config"
unset VAR_TEMP_PLAIN_MFA_SEED
guard_dir; return 0 guard_dir; return 0
} }
### Prevents accidental 'unset -f'. ### Prevents accidental 'unset -f'.
@@ -511,12 +516,12 @@ readonly -f eza_installer
####################################### #######################################
# Generates a deterministic TOTP secret based on: # Generates a deterministic TOTP secret based on:
# Username, FQDN, MFA salt, MFA master seed # Username, FQDN, MFA salt, MFA master seed
# Globals: # Globals:
# CISS_SECRET_SEEDS_MFA_INFO
# CISS_SECRET_SEEDS_MFA_SALT
# VAR_FINAL_FQDN # VAR_FINAL_FQDN
# VAR_TEMP_PLAIN_MFA_SEED # VAR_TEMP_PLAIN_MFA_SEED
# user_mfa_info
# user_mfa_salt
# Arguments: # Arguments:
# 1: Username # 1: Username
# Returns: # Returns:
@@ -526,10 +531,11 @@ generate_totp_secret() {
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare var_user="${1}" declare var_user="${1}"
declare var_host_id="${VAR_FINAL_FQDN}" declare var_host_id="${VAR_FINAL_FQDN}"
declare var_salt="${user_mfa_salt}:${var_host_id}:${var_user}" declare var_salt="${CISS_SECRET_SEEDS_MFA_SALT}:${var_host_id}:${var_user}"
declare var_info="${user_mfa_info}" declare var_info="${CISS_SECRET_SEEDS_MFA_INFO}"
declare var_secret="" declare var_secret=""
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_trace on guard_trace on
### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding). ### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
@@ -550,6 +556,7 @@ generate_totp_secret() {
printf '%s\n' "${var_secret}" printf '%s\n' "${var_secret}"
guard_trace off guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------------
return 0 return 0
} }
@@ -717,33 +724,31 @@ EOF
readonly -f hardening_sudo readonly -f hardening_sudo
####################################### #######################################
# Reads a 256-bit seed from '${DIR_CNF}/mfa_master.txt' (64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED. # Reads a 256-bit seed from '${CISS_SECRET_SEEDS_MFA_SECRET}' '(64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
# Globals: # Globals:
# DIR_CNF # CISS_SECRET_SEEDS_MFA_SECRET
# VAR_TEMP_PLAIN_MFA_SEED # VAR_TEMP_PLAIN_MFA_SEED
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
# 0: on success # 0: on success
# ERR_READ_SEED_FILE # ERR_READ_SEED_FILE: on failure
####################################### #######################################
read_totp_seed(){ read_totp_seed(){
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare -r var_mfa_seed_file="${DIR_CNF}/mfa_master.txt"
declare -g VAR_TEMP_PLAIN_MFA_SEED="" declare -g VAR_TEMP_PLAIN_MFA_SEED=""
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_trace on guard_trace on
if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then VAR_TEMP_PLAIN_MFA_SEED="${CISS_SECRET_SEEDS_MFA_SECRET}"
unset CISS_SECRET_SEEDS_MFA_SECRET
return "${ERR_READ_SEED_FILE}"
fi
### Validate: exactly 64 hex. ### Validate: exactly 64 hex.
[[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}" [[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"
guard_trace off guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------------
return 0 return 0
} }
@@ -889,14 +894,17 @@ readonly -f write_ciss_2fa_user
write_google_authenticator_file() { write_google_authenticator_file() {
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare -r var_user="${1}" var_user_id="${2}" var_group_id="${3}" var_target="${4}" declare -r var_user="${1}" var_user_id="${2}" var_group_id="${3}" var_target="${4}"
declare var_secret="" declare -i i=0
declare var_secret="" __umask=""
__umask=$(umask)
case "${1}" in case "${1}" in
root) declare var_base="${var_target}/root" ;; root) declare var_base="${var_target}/root" ;;
*) declare var_base="${var_target}/home/${var_user}" ;; *) declare var_base="${var_target}/home/${var_user}" ;;
esac esac
declare -i i=0
### SECRETS handling ---------------------------------------------------------------------------------------------------------
guard_trace on guard_trace on
var_secret="$(generate_totp_secret "${var_user}")" var_secret="$(generate_totp_secret "${var_user}")"
@@ -941,9 +949,10 @@ write_google_authenticator_file() {
} >| "${DIR_TMP}/TOTP_${var_user}.secret" } >| "${DIR_TMP}/TOTP_${var_user}.secret"
chmod 0400 "${DIR_TMP}/TOTP_${var_user}.secret" chmod 0400 "${DIR_TMP}/TOTP_${var_user}.secret"
umask 0022
guard_trace off guard_trace off
### SECRETS handling ---------------------------------------------------------------------------------------------------------
umask "${__umask}"
return 0 return 0
} }
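Review bot: The changed `chroot_script` call in step 4 expands `${CISS_SECRET_USER_ROOT_PASSWORD}` into the command string itself and is not wrapped in `guard_trace on` / `guard_trace off` like the other secret sites in this commit. The root password hash may therefore end up in xtrace output and in the argument list of whatever chroot_script executes (its implementation is not visible here). A value containing a single quote would also terminate the `'...'` quoting inside that string. Feeding the `root:<hash>` line to `chpasswd -e` on stdin, or at least bracketing the call with the trace guard, would address both. The enclosing function starts and ends outside these hunks.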


@@ -13,11 +13,13 @@
guard_sourcing || return "${ERR_GUARD_SOURCE}" guard_sourcing || return "${ERR_GUARD_SOURCE}"
####################################### #######################################
# Capture an initial snapshot of all variables (excluding '^(BASH|_).*'). # Capture an initial snapshot of all variables (excluding '^(BASH|_|CISS_SECRET_)').
# Globals: # Globals:
# VAR_DUMP_VARS_INITIAL # VAR_DUMP_VARS_INITIAL
# Arguments: # Arguments:
# None # None
# Returns:
# 0: on success
####################################### #######################################
dump_vars_initial() { dump_vars_initial() {
# shellcheck disable=SC2312 # shellcheck disable=SC2312
@@ -25,12 +27,16 @@ dump_vars_initial() {
declare var declare var
while IFS= read -r var; do while IFS= read -r var; do
declare -p "${var}" 2> /dev/null declare -p "${var}" 2> /dev/null
done < <(compgen -v | grep -Ev '^(BASH|_).*') done < <(compgen -v | grep -Ev '^(BASH|_|CISS_SECRET_)')
} | sort >| "${VAR_DUMP_VARS_INITIAL}" } | sort >| "${VAR_DUMP_VARS_INITIAL}"
return 0
} }
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f dump_vars_initial
####################################### #######################################
# Capture the final snapshot of all variables (excluding '^(BASH|_).*'). # Capture the final snapshot of all variables (excluding '^(BASH|_|CISS_SECRET_)').
# Globals: # Globals:
# LOG_VAR # LOG_VAR
# VAR_DUMP_VARS_FINAL # VAR_DUMP_VARS_FINAL
@@ -38,6 +44,8 @@ dump_vars_initial() {
# VAR_VERSION # VAR_VERSION
# Arguments: # Arguments:
# None # None
# Returns:
# 0: on success
####################################### #######################################
dump_vars_exiting() { dump_vars_exiting() {
set +x set +x
@@ -46,7 +54,7 @@ dump_vars_exiting() {
declare var declare var
while IFS= read -r var; do while IFS= read -r var; do
declare -p "${var}" 2>/dev/null declare -p "${var}" 2>/dev/null
done < <(compgen -v | grep -Ev '^(BASH|_).*') done < <(compgen -v | grep -Ev '^(BASH|_|CISS_SECRET_)')
} | sort >| "${VAR_DUMP_VARS_FINAL}" } | sort >| "${VAR_DUMP_VARS_FINAL}"
set -x set -x
@@ -71,5 +79,10 @@ dump_vars_exiting() {
set -x set -x
rm -f "${VAR_DUMP_VARS_INITIAL}" "${VAR_DUMP_VARS_FINAL}" rm -f "${VAR_DUMP_VARS_INITIAL}" "${VAR_DUMP_VARS_FINAL}"
return 0
} }
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f dump_vars_exiting
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
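Review bot: The new filter `grep -Ev '^(BASH|_|CISS_SECRET_)'` in dump_vars_initial and dump_vars_exiting does not match `CISS_SECRETS_MAP` (there is an `S` before the underscore), nor copies such as `VAR_TEMP_PLAIN_MFA_SEED` or `VAR_NUKE_HASH` that appear elsewhere in this commit. Whether any of these hold values when the snapshots run is not visible here, but `declare -p` would write them into the dump files if they do. Widening the pattern, e.g. `'^(BASH|_|CISS_SECRET|VAR_TEMP_PLAIN_|VAR_NUKE_)'`, and listing the excluded prefixes in the header comment would keep the exclusion aligned with how the secrets are actually named.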